If you've ever asked "how does a Kosher iPhone actually work?", this guide is for you. We'll cover every layer — from Apple's DEP program down to the MDM policies that keep Safari off the device — in enough detail that you can make an informed decision.
Layer 1 — Apple DEP (Device Enrollment Program)
Apple's DEP is how enterprises receive iPhones that are pre-bound to their management system from the factory. When we buy iPhones for our customers, they're ordered through DEP — and the moment the phone boots for the first time, it reaches out to Apple's DEP servers, is told "this device belongs to The Kosher iPhone's MDM," and enrolls itself automatically.
The user never sees "accept this management profile?" The enrollment happens before the setup screen. Supervision is live from the first tap.
**This is different from post-purchase enrollment**, where a user has to actively install a configuration profile. Post-purchase enrollment can be undone by the user. DEP enrollment cannot — the device is permanently associated with our MDM until we explicitly release it.
Layer 2 — Mobile Device Management (MDM)
MDM is Apple's protocol for letting an administrator configure iPhones remotely. It's the same system enterprises use to manage employee devices, schools use to manage student iPads, and governments use to manage classified-work phones.
Our MDM server talks to your iPhone every few minutes over a secure HTTPS channel. It pushes policies (what apps are allowed, what restrictions apply), receives status (compliance, iOS version, enrollment health), and handles commands (install this app, lock the device, wipe it remotely).
Crucially: the MDM server is the source of truth for policy. The policy is not stored in a way the user can modify. No password to enter. No setting to toggle. The policy on the device is whatever the server most recently said.
Layer 3 — Supervised Mode
Supervised Mode is a special state of the iPhone that unlocks additional MDM capabilities. A non-supervised MDM-enrolled iPhone can only apply a subset of restrictions. A supervised MDM-enrolled iPhone can apply the full enterprise restriction set — including the one that matters most: **removing Safari, the App Store, and AirDrop entirely from the device**.
Supervision is set during DEP enrollment, which happens automatically on first boot for our devices. It survives factory resets. It survives iOS updates. It survives device backups and restores.
The only way out: the MDM operator (us) removes the device from our account. Even then, the user needs to factory-reset the phone after removal for Supervision to fully disappear.
Layer 4 — App Whitelist
Once supervised, we push the **app whitelist** to the device. This is the curated list of apps you and your family approved during onboarding.
The whitelist isn't a "block these, allow everything else" model. It's the opposite: the apps on the whitelist are the ONLY apps that can exist on the device. Everything else is blocked at the install level — not post-install.
When you request a new app to be added, we update the whitelist on our MDM server, and the device receives the update on its next check-in (usually within minutes). The app installs itself, pre-approved, no user intervention required.
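One way to check that a configuration profile really encodes the Layer 3 restrictions and the Layer 4 whitelist model, as an added example that is not this provider's code or policy. The key names are those of Apple's Restrictions payload (`com.apple.applicationaccess`); the sample profiles, the browser bundle ID list and the `make_profile` / `audit_profile` helpers are constructed for illustration.

```python
import plistlib

def make_profile(restrictions: dict) -> bytes:
    """Wrap a Restrictions payload in a minimal configuration profile (constructed sample)."""
    payload = {"PayloadType": "com.apple.applicationaccess", **restrictions}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [payload]})

# Constructed samples, not a real provider policy; bundle IDs are illustrative.
STRICT_PROFILE = make_profile({
    "allowSafari": False, "allowAppInstallation": False, "allowAirDrop": False,
    "allowListedAppBundleIDs": ["com.apple.mobilephone", "com.apple.MobileSMS", "com.apple.Maps"],
})
WEAK_PROFILE = make_profile({
    "allowSafari": False, "allowAppInstallation": False,  # allowAirDrop omitted
    "allowListedAppBundleIDs": ["com.apple.Maps", "com.google.chrome.ios"],
})

# Apple Restrictions payload keys that must be explicitly false for this model.
REQUIRED_FALSE = ("allowSafari", "allowAppInstallation", "allowAirDrop")
# Assumed (hypothetical) deny list of browser bundle IDs that must never be allowlisted.
BROWSER_IDS = {"com.apple.mobilesafari", "com.google.chrome.ios", "org.mozilla.ios.firefox"}

def audit_profile(raw: bytes) -> list[str]:
    """Return findings; an empty list means the profile matches the described model."""
    content = plistlib.loads(raw).get("PayloadContent", [])
    payloads = [p for p in content if p.get("PayloadType") == "com.apple.applicationaccess"]
    if not payloads:
        return ["no Restrictions payload (com.apple.applicationaccess) found"]
    findings = []
    for p in payloads:
        for key in REQUIRED_FALSE:
            # An omitted restriction key means "allowed", so absence is a finding too.
            if p.get(key, True) is not False:
                findings.append(f"{key} is not set to false")
        allow = p.get("allowListedAppBundleIDs")
        if not allow:
            findings.append("no app allowlist: installs are not limited to an approved set")
            continue
        for bundle_id in sorted({b.lower() for b in allow} & BROWSER_IDS):
            findings.append(f"browser bundle ID in allowlist: {bundle_id}")
    return findings

if __name__ == "__main__":
    for name, raw in (("strict", STRICT_PROFILE), ("weak", WEAK_PROFILE)):
        print(name, audit_profile(raw) or "OK")
```

The weak sample shows the two gaps the whitelist model is meant to rule out: a restriction left at its permissive default and a browser that slipped into the approved list.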
Layer 5 — Content Filter (belt + suspenders)
The app whitelist alone stops 99.5% of problems — users cannot install browsers or unsanctioned apps. But for the traffic that DOES flow (email, maps, banking), we also apply a **DNS-level content filter** as a safety net. This catches edge cases: if an approved app has an in-app browser view that could reach problematic content, the filter blocks it.
This is why we call ourselves belt-and-suspenders: app-level whitelist + OS-level supervision + DNS-level content filter. Three layers. Any two could fail and protection would still hold.
Layer 6 — Ongoing management
The MDM relationship doesn't end at configuration. Our management team checks device health daily, updates the content filter list weekly, approves new app requests typically within hours, responds to lost-device reports within minutes, and tests iOS updates on internal devices before releasing them to your phone.
This is what you're paying for monthly. Not a one-time setup — a lifetime management relationship.